Distributing Certificates

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 20 17:47:11 CET 2012


On 01/20/2012 02:36 PM, Alan Buxey wrote:

> CA distribution was always the issue for private CA - but most sites now go for
> using a deployment tool of some kind to get clients set up - and all of them can deal with
> installing a CA, so that's a problem gone.  the system is closed-loop, visitors never need to
> trust your RADIUS server cert...only your own folk do - so why use public in this space?

A couple of things to note:

Firstly, *if* you are using a public CA you should try very, very hard 
to ensure your clients are checking the cert CN. This somewhat 
alleviates the "anyone can buy a cert" risk.

Secondly, there's not much point in going for a "super cheap" public CA. 
You only need one cert, and don't need very esoteric options like EV or 
multiple subjectAltNames. This keeps the cost reasonably sane, and 
therefore you might as well shell out for a Verisign (or similar) one.

Doing that gives you a slightly better chance the CA will not hand out 
random crap to attackers, and *much* better probability the CA will be 
present on clients already.

You mention "most sites use a deployment tool". I'd be interested to see 
numbers on that, but it's probably OT for the list.

As I've said previously - people thinking of using a public CA should be 
very sure they understand and accept the risks. I agree the safe default 
is to use a private CA.
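The client-side name check mentioned above, as an added example that is not part of the original post: a wpa_supplicant network block for 802.1X/PEAP with a public CA, first without and then with the server-name constraint. The SSID, realm, RADIUS hostname and CA bundle path are placeholders.

```ini
# Added example (not from the original post). Placeholder SSID, realm,
# RADIUS server name and CA bundle path.

# Weak: trusts every CA in the system bundle but performs no name check,
# so a server certificate bought from any of those CAs for any hostname
# is accepted. This is the "anyone can buy a cert" risk.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.ac.uk"
    anonymous_identity="anonymous@example.ac.uk"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Better: same trust anchor, plus domain_match. wpa_supplicant requires a
# dNSName SAN in the server certificate to equal this FQDN exactly, and
# falls back to the subject CN only if no dNSName is present. A
# certificate issued by the same public CA to any other host is rejected.
network={
    ssid="example-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.ac.uk"
    anonymous_identity="anonymous@example.ac.uk"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.ac.uk"
}
```

Pointing ca_cert at the single issuing CA's certificate rather than the whole system bundle narrows trust further; domain_match is still needed because that CA issues certificates to other hosts too.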
